Threat behavior
Backdoor:WinNT/Festi.A is a kernel-mode backdoor trojan that allows limited remote access and control. It retrieves instructions from a remote attacker by connecting to a remote server and downloading data; those instructions can direct the trojan to distribute spam.
Installation
The trojan drops a kernel-mode driver with a random file name to the following location:
<system folder>\drivers\<random file name>.sys
The dropped driver is then loaded into memory. Once running, it hooks system APIs to block access to its driver file on disk and to hide its service entry from the registry services list.
Payload
Bypasses installed firewalls
Backdoor:WinNT/Festi.A hooks the \Device\Tcpip device object so that its own network traffic bypasses firewall software installed on the host. In addition, the trojan creates Windows Firewall exceptions that allow arbitrary inbound TCP/UDP connections by adding entries to the following registry subkey:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
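Each value under that subkey is named in the form <port>:<protocol>:<scope>:<Enabled|Disabled>:<description>, where a scope of * means any remote address. The script below is an added example, not part of Microsoft's analysis or of the trojan, showing how a responder could audit an exported copy of the key for exceptions that open a port to any source and are not on an expected list. The sample registry export and the allowlist of expected ports are constructed for the example; real values would come from `reg export` or the winreg module on the suspect machine.

```python
"""Audit Windows Firewall GloballyOpenPorts entries for unexpected global openings.

Added example (not Microsoft's tooling). Input is a `reg export` dump of
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy
    \\StandardProfile\\GloballyOpenPorts\\List
Each value is named "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<description>".
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

ENTRY_RE = re.compile(
    r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]+):"
    r"(?P<state>Enabled|Disabled):(?P<name>.*)$"
)


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str
    scope: str      # "*" = any remote address, "LocalSubNet", or an address list
    enabled: bool
    name: str       # free-text description chosen by whoever created the rule


def parse_entry(value_name: str) -> Optional[PortRule]:
    """Parse one value name; return None if it does not follow the expected format."""
    m = ENTRY_RE.match(value_name)
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        return None
    return PortRule(port, m.group("proto"), m.group("scope"),
                    m.group("state") == "Enabled", m.group("name"))


def value_names_from_reg_export(text: str) -> List[str]:
    """Extract value names from a .reg dump; REG_SZ lines look like "name"="data"."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"') and '"="' in line:
            raw = line.split('"="', 1)[0][1:]
            # .reg files escape quotes and backslashes inside names
            names.append(raw.replace('\\"', '"').replace('\\\\', '\\'))
    return names


def unexpected_global_openings(value_names: Iterable[str],
                               allowlist: Set[Tuple[int, str]]) -> List[str]:
    """Flag enabled rules open to any source that are not expected, plus malformed entries."""
    findings = []
    for name in value_names:
        rule = parse_entry(name)
        if rule is None:
            findings.append(f"malformed entry: {name!r}")
            continue
        if rule.enabled and rule.scope == "*" and (rule.port, rule.proto) not in allowlist:
            findings.append(f"{rule.proto}/{rule.port} open to any source: {rule.name!r}")
    return findings


# Constructed sample export: two plausible administrator rules and three
# entries of the kind a backdoor might add. Not data from a real infection.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP:LocalSubNet:Enabled:File and Printer Sharing"="139:TCP:LocalSubNet:Enabled:File and Printer Sharing"
"3389:TCP:*:Enabled:Remote Desktop"="3389:TCP:*:Enabled:Remote Desktop"
"31337:TCP:*:Enabled:Windows Update"="31337:TCP:*:Enabled:Windows Update"
"4444:UDP:*:Enabled:"="4444:UDP:*:Enabled:"
"garbage"="garbage"
'''

# Assumed list of (port, protocol) pairs this machine is expected to expose.
ASSUMED_ALLOWLIST = {(139, "TCP"), (3389, "TCP")}


def audit_sample() -> List[str]:
    """Run the audit over the constructed export with the assumed allowlist."""
    return unexpected_global_openings(value_names_from_reg_export(SAMPLE_EXPORT),
                                      ASSUMED_ALLOWLIST)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

The descriptive text is the weakest signal here: a rule named after a legitimate component is exactly what an attacker would write, so the audit keys on port, protocol and scope against a baseline rather than on the name. Running it against a live export also needs a second check, because a driver that hides its service entry may equally filter what the registry APIs return; export the hive offline or from a clean boot environment before trusting the result.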
Downloads configuration data
Backdoor:WinNT/Festi.A connects to a remote IP address to retrieve commands that could instruct the trojan to distribute spam.
Analysis by Vincent Tiu
Prevention